U.S. patent application number 10/083762 was filed with the patent office on 2003-07-17 for public key encryption system.
Invention is credited to Soldera, David.
Application Number: 20030133566 10/083762
Family ID: 9928780
Filed Date: 2003-07-17
United States Patent Application 20030133566
Kind Code: A1
Soldera, David
July 17, 2003
Public key encryption system
Abstract
This invention relates to a variant of the El-Gamal public key
encryption scheme, which is provably secure against an adaptively
chosen ciphertext adversary using standard public-key cryptography
assumptions i.e. not the random oracle model. This new scheme has
roughly half the computational overhead and similar communication
overhead as the scheme by Cramer-Shoup.
Inventors: Soldera, David; (Bristol, GB)
Correspondence Address: HEWLETT-PACKARD COMPANY, Intellectual Property Administration, P.O. Box 272400, Fort Collins, CA 80527-2400, US
Family ID: 9928780
Appl. No.: 10/083762
Filed: February 25, 2002
Current U.S. Class: 380/30
Current CPC Class: H04L 9/3013 20130101; H04L 9/002 20130101; H04L 2209/08 20130101
Class at Publication: 380/30
International Class: H04L 009/00
Foreign Application Data
Date: Jan 9, 2002
Code: GB
Application Number: 0200367.1
Claims
1. A public key encryption scheme using a private key, z, and a public key, h, comprises the encryption of a message, m, within a ciphertext, wherein an element of the encrypted ciphertext containing the message is formed by a message product of a variable, ε, based on the public key, h, and an output of an invertible deterministic method, π, operated on at least the message, m, and a hash, H, of at least the message.
2. A public key encryption scheme as claimed in claim 1, wherein the ciphertext includes at least one random element, u_1.
3. A public key encryption scheme as claimed in claim 1, wherein the invertible deterministic method is operated on the message, m, an index, j, of the hash and a hash, H, over both the message, m, and at least one random element, u_1.
4. A public key encryption scheme as claimed in claim 1, wherein the variable, ε, based on the public key is the public key, h, raised to the power of a random number, r.
5. A public key encryption scheme as claimed in claim 1, wherein the ciphertext is decrypted using a private key, z, the at least one random element u_1, the message product, and the invertible deterministic method, π.
6. A public key encryption scheme as claimed in claim 1, wherein the invertible deterministic method, π, is operated on a check for the decryption.
7. A public key encryption scheme as claimed in claim 6, wherein the hash, H, for the check is over the message and at least one random element, u_1.
8. A public key encryption scheme as claimed in claim 1, wherein the message product is represented by ε·M, where ε = h^r (r is random) and h = g_1^z, where g_1 is a first generator, z is a randomly chosen private key and M = π(m, j, t), where π is the invertible deterministic method, m is the message, j is a random index of the hash and t = H_j(m, g_1^r, g_2^r), where H_j is the jth hash and g_2 is a second generator.
9. A public key encryption scheme as claimed in claim 1, wherein the ciphertext includes said at least one random element, u_1.
10. A public key encryption scheme as claimed in claim 1, wherein at least one of said random elements, u_1, is used to decipher the ciphertext, in conjunction with the private key, z, to determine the output, M, of the invertible deterministic method, π, which output is then inverted to give an original input and hence the message, m.
11. A public key encryption/decryption method makes use of a
ciphertext that includes a check element, t, wherein a check made
during decryption is a hash, H, over at least the encrypted
message, m.
12. A public key encryption/decryption method as claimed in claim
11, wherein the hash, H, is over the message, m, and at least one
random element, u.sub.1.
13. A public key encryption method includes creating a ciphertext
requiring at most 4 exponentiations to encrypt, including
exponentiations for each of at least two random elements, u.sub.1,
u.sub.2 and an exponentiation for a public key, h, wherein a
message for encryption does not require an exponentiation to
encrypt.
14. A public key encryption method as claimed in claim 13, wherein
the method includes 3 exponentiations, being for a first random
element, u.sub.1, a second random element, u.sub.2, and for the
public key, h.
15. A public key encryption/decryption method includes decrypting a
ciphertext with at most 2 exponentiations, including an
exponentiation using a private key, z, to allow recovery of an
encrypted message, m.
16. A public key encryption/decryption method as claimed in claim
15, wherein only one exponentiation is required.
17. A public key encryption/decryption method involves creating a ciphertext and decrypting the ciphertext, in which a public key requires no more than 3 group elements and a private key requires no more than one group element, whilst still providing a provably secure method.
Description
[0001] This invention relates to a public key encryption scheme and
to a method of encrypting and/or decrypting using public key
encryption.
[0002] In 1998 Cramer-Shoup (CS) (Cramer, R. and Shoup, V. A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. CRYPTO'98. LNCS 1462, pg 13-25. Springer-Verlag, California, 1998) presented a new El-Gamal style (El-Gamal, T. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Trans. Inform. Theory, 31, pg 469-472, 1985) public key encryption scheme that was the first efficient and provably secure scheme based solely on standard intractability assumptions. The contribution of CS was that their scheme was efficient and yet did not rely on the random oracle (RO) assumption (see Bellare, M. and Rogaway, P. Optimal asymmetric encryption--how to encrypt with RSA. EUROCRYPT'94. LNCS 950, pg 92-111. Springer-Verlag, 1994 for more information on random oracles). However, schemes that rely on the RO model are still more efficient than the CS scheme. Recent improvements to CS (see for example Shoup, V. Using hash functions as a hedge against chosen ciphertext attack. EUROCRYPT'00. LNCS 1807, pg 275-288. Springer-Verlag, 2000 (this is actually a key encapsulation scheme)) have increased its efficiency, but not to the point where it can compete with the best RO schemes.
[0003] Using the RO model or standard assumptions for a proof of security represents the two opposite ends of the provable security spectrum. The RO model yields extremely efficient schemes (see Bellare above), yet practical implementations using hash functions cannot hope to achieve actual ROs. At the other end of the spectrum are the standard intractability assumptions; they give us much more confidence in security, yet the schemes that are available are still too inefficient (at least compared to RO schemes) for the majority of practical implementations.
[0004] It is an object of the present invention to address the above disadvantages and to seek to provide a cryptosystem that is more practical to implement together with provable security.
[0005] According to a first aspect of the present invention a public key encryption scheme using a private key, z, and a public key, h, comprises the encryption of a message, m, within a ciphertext, wherein an element of the encrypted ciphertext containing the message is formed by a message product of a variable, ε, based on the public key, h, and an output of an invertible deterministic method, π, operated on at least the message, m, and a hash, H, of at least the message.
[0006] The ciphertext preferably includes at least one random element, u_1.
[0007] Preferably, the invertible deterministic method is operated on the message, m, an index, j, of the hash and a hash, H, over both the message, m, and at least one random element, u_1, preferably two random elements u_1, u_2.
[0008] The variable, ε, based on the public key is preferably the public key, h, raised to the power of a random number, r.
[0009] The ciphertext may be decrypted using a private key, z, the at least one random element u_1, the message product, and the invertible deterministic method, π.
[0010] The invertible deterministic method, π, may be operated on a check for the decryption. The check may be the hash, H, over at least the message, m. Preferably, the hash, H, for the check is over the message and at least one random element, u_1.
[0011] Preferably, the message product is represented by ε·M, where ε = h^r (r is random) and h = g_1^z, where g_1 is a first generator, z is a randomly chosen private key and M = π(m, j, t), where π is the invertible deterministic method, m is the message, j is a random index of the hash and t = H_j(m, g_1^r, g_2^r), where H_j is the jth hash and g_2 is a second generator.
[0012] The invertible deterministic method may be a squaring.
[0013] The ciphertext preferably includes said at least one random element, u_1, preferably both random elements, u_1, u_2.
[0014] At least one of said random elements, u_1, is preferably used to decipher the ciphertext, in conjunction with the private key, z, to determine the output, M, of the invertible deterministic method, π, which output is then preferably inverted to give an original input and hence the message, m.
[0015] According to a second aspect of the present invention a public key encryption/decryption method makes use of a ciphertext that includes a check element, t, wherein a check made during decryption is a hash, H, over at least the encrypted message, m.
[0016] Preferably, the hash, H, is over the message, m, and at least one random element, u_1, preferably two random elements, u_1, u_2.
[0017] The invention thereby advantageously relies on the collision-free aspects of a hash. The hash may be SHA-1.
[0018] According to a third aspect of the present invention a public key encryption method includes creating a ciphertext requiring at most 4 exponentiations to encrypt, including exponentiations for each of at least two random elements, u_1, u_2 and an exponentiation for a public key, h, wherein a message for encryption does not require an exponentiation to encrypt.
[0019] The method preferably includes 3 exponentiations, being for a first random element, u_1, a second random element, u_2, and for the public key, h.
[0020] The method advantageously requires fewer exponentiations
than previous methods, whilst still being provably secure, thus
having a significantly lower computational overhead compared to
previous methods.
[0021] According to a fourth aspect of the invention a public key
decryption method includes decrypting a ciphertext with at most 2
exponentiations, including an exponentiation using a private key,
z, to allow recovery of an encrypted message, m.
[0022] Preferably, only one exponentiation is required.
[0023] The method advantageously requires fewer exponentiations
than existing methods, whilst still being provably secure. Thus
there is a significantly lower computational overhead involved in
decryption.
[0024] According to a fifth aspect of the invention a public key
encryption/decryption method involves creating a ciphertext and
decrypting the ciphertext, in which a public key requires no more
than 3 group elements and a private key requires no more than one
group element, whilst still providing a provably secure method.
[0025] The invention extends to a message encrypted according to
any one of the previous aspects.
[0026] The invention extends to a recordable medium bearing a
ciphertext encrypting a message encrypted according to the previous
aspects.
[0027] The invention extends to a computer operable to perform any
of the previous aspects.
[0028] The invention extends to a recordable medium bearing a
computer program operable to perform any of the above aspects.
[0029] All of the features described herein may be combined with
any of the aspects or parts of the invention as set out above.
[0030] A specific embodiment of the present invention will now be
described with reference to the accompanying drawing, in which:
[0031] FIG. 1 is a schematic diagram of the encryption and
decryption of a message.
[0032] Below is described a new public key encryption scheme, which
starts to bridge the gap (discussed in the introduction above) in
efficiencies of practical implementation of such encryption, while
still having its security rely solely on standard intractability
assumptions. Compared to the CS scheme mentioned above, this new
scheme has a similar communication overhead but requires only 4
exponentiations in total (for both encryption and decryption)
compared to 8 for the most efficient (pure public key) version of
CS. In terms of offline storage, if CS and the new scheme are used
in the same group, then CS requires 5 group elements to represent
its public key and 5 for its private, whereas the new scheme
requires 3 for its public key and 1 for its private. Thus the
contribution of this invention is to present a provably secure
public key encryption scheme based on standard intractability
assumptions, where the efficiency of the scheme rivals those
schemes that rely on the random oracle model.
[0033] FIG. 1 shows an encryption module 10, which forms part of a
first computer 12. The encryption module 10 operates a computer
program to encrypt a message 14 in a ciphertext 16. The message 14
encrypted in the ciphertext 16 is then transmitted or passed to a
third party for decryption with a computer program running on a
decryption module 18 of a second computer 20.
[0034] The implementation of the method described herein is
applicable to all types of public key encryption already in use,
for example the transmission of messages and data securely over
computer networks, either local networks or global networks (such
as the internet). The method can be used as a computer program and
operated on a message to be encrypted and then decrypted by a user
with the relevant key, as is well known in the art.
[0035] 1.1 Notation
[0036] We use standard notations and conventions for writing probabilistic algorithms and experiments. If A is a probabilistic algorithm, then A(x_1, x_2, ...; r) is the result of running A on inputs x_1, x_2, ... and coins r. We let y ← A(x_1, x_2, ...) denote the experiment of picking r at random and letting y be A(x_1, x_2, ...; r). If S is a finite set then x ← S (or x ∈_R S) is the operation of picking an element uniformly from S.
[0037] If b is a bit then b̄ is its complement. {0,1}* is a binary string of arbitrary length and {0,1}^l is a binary string of length l. The length of a string x is denoted by |x|, and the concatenation of strings x and y is denoted by x‖y. The ith bit of x is denoted by x_i and the substring of x from x_i to x_j, where i ≤ j, is denoted by x_[i]. A function f: → is negligible if for every constant c ≥ 0 there exists an integer k_c such that f(k) ≤ k^{-c} for all k ≥ k_c.
[0038] 1.2 Definitions
[0039] Indistinguishability of encryptions against an adaptive chosen ciphertext (IND-CCA2) adversary is the standard accepted notion of security for a public key encryption scheme. The basic idea behind an IND-CCA2 adversary is that they are given access to an encryption oracle and a decryption oracle; they then choose two messages, one of which gets encrypted (they do not know which). They are then presented with the ciphertext of the encrypted message and asked to determine which of the two messages was encrypted. They must succeed with probability non-negligibly better than 1/2. The only restriction is that the adversary may not query the decryption oracle with the challenge ciphertext.
[0040] We consider the adversary A as running in two stages, a `find` stage and a `guess` stage. The find stage is responsible for finding the pair of messages (it will also output some state information s) and the guess stage is responsible for determining which message was encrypted in the challenge ciphertext.
[0041] A formal definition of IND for any type of attack is given in Definition 1, but for a more complete treatise on this area see Bellare, M., Desai, A., Pointcheval, D., and Rogaway, P. Relations among notions of security for public-key encryption schemes. CRYPTO'98. LNCS 1462, pg 26-45. Springer-Verlag, California, 1998. For example other types of attack are CPA and CCA1, see below for definitions. In the definition (·) is a probabilistic key generation algorithm, (·) is a probabilistic encryption algorithm, (·) is a deterministic decryption algorithm and (·) is an oracle. The public and secret key are represented by pk and sk, respectively.
[0042] Definition 1 [IND-CPA, IND-CCA1, IND-CCA2] Let Π = be an encryption scheme and let A be an adversary. For atk ∈ {cpa, cca1, cca2} and k ∈ let

$$
\mathrm{Advantage}^{\text{ind-atk}}_{A,\Pi}(k) = 2\cdot\Pr\bigl[(pk,sk)\leftarrow(1^k);\ (x_0,x_1,s)\leftarrow A^{O_1}(\mathrm{find},pk);\ b\leftarrow\{0,1\};\ y\leftarrow{}_{pk}(x_b) : A^{O_2}(\mathrm{guess},x_0,x_1,s,y)=b\bigr]-1
$$

[0044] where
If atk = cpa then O_1(·) = null and O_2(·) = null
If atk = cca1 then O_1(·) = D_sk(·) and O_2(·) = null
If atk = cca2 then O_1(·) = D_sk(·) and O_2(·) = D_sk(·)
[0045] It is insisted that A(find, ·) outputs x_0, x_1 with |x_0| = |x_1|. In the case of CCA2, it is also insisted that A(guess, ·) does not ask its oracle to decrypt y. We say that Π is secure in the sense of IND-ATK if A being polynomial-time implies that Advantage^{ind-atk}_{A,Π}(·) is negligible.
[0046] 2 The Basic Scheme
[0047] We encrypt messages m ∈ {0,1}^{n-2k} and also require a hash function H_j: {0,1}* → {0,1}^k chosen from a family of universal one-way hash functions indexed by j. All operations are performed in the group G of order q (q is a large prime) in which there exist two generators g_1 and g_2. There also exists some (invertible) deterministic method π(·) to encode a message as an element of G.
[0048] The private key is a randomly chosen z ∈ Z_q and the public key is h = g_1^z.
[0049] Encryption. We choose r ∈_R Z_q, j ∈_R Z_{2k} and compute ε = h^r, t = H_j(m, g_1^r, g_2^r) and M = π(m, j, t). The ciphertext is then

$$(u_1, u_2, e) = (g_1^r,\ g_2^r,\ \varepsilon\cdot M)$$

[0050] Decryption. To decrypt (u_1, u_2, e) we compute

$$\varepsilon = u_1^z, \qquad M = \frac{e}{\varepsilon}$$

[0051] and recover the message from (m, j, t) = π^{-1}(M). Finally we check

$$t = H_j(m, u_1, u_2)$$

[0052] If this holds we accept the message, otherwise we reject.
[0053] If the group G is chosen to be the set of quadratic residues, a possible encoding method π(·) would be simple squaring (given that m‖j‖t is interpreted as an element of Z_p modulo a large prime p of the form 2q+1). Then in step 2 of the decryption, if neither square root yields a correct hash then the output is also ⊥.
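The basic scheme of section 2, instantiated as paragraph [0053] suggests (G = the quadratic residues modulo a safe prime p = 2q+1, π = squaring of the integer m‖j‖t, decryption tries both square roots and outputs ⊥ if neither passes the hash check), as an added worked example that is not code from the patent. Assumptions made here: H_j is SHA-256 keyed with the index j and truncated to k bits (the patent only requires a universal one-way family and mentions SHA-1 as an off-the-shelf choice), the bit sizes of m, j and t are chosen for illustration, and p is found by a deterministic search so that the run is reproducible.

```python
import hashlib
import secrets

# Bit sizes of m, j and t (constructed for this example); m||j||t must fit below p.
MSG_BITS, IDX_BITS, TAG_BITS = 32, 24, 32


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases: exact below ~2^81, probabilistic above."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for sp in bases:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(bits: int):
    """Return (p, q) with p = 2q + 1, both prime and p of at least `bits` bits.
    The search starts from a fixed point so the example is reproducible."""
    q = (1 << (bits - 1)) | 1
    while True:
        # q = 1 (mod 3) would make 3 divide 2q + 1, so only q = 2 (mod 3) can work
        if q % 3 == 2 and is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q
        q += 2


def H(j: int, m: int, u1: int, u2: int) -> int:
    """H_j(m, u1, u2). Assumption for this example: SHA-256 keyed by the index j,
    truncated to TAG_BITS bits (the patent asks for a universal one-way family)."""
    data = b"|".join(str(v).encode() for v in (j, m, u1, u2))
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - TAG_BITS)


def pack(m: int, j: int, t: int) -> int:
    """Interpret m||j||t as one integer, the input to the squaring encoding pi."""
    return (m << (IDX_BITS + TAG_BITS)) | (j << TAG_BITS) | t


def unpack(x: int):
    """Split an integer back into (m, j, t); m is out of range for a wrong root."""
    t = x & ((1 << TAG_BITS) - 1)
    j = (x >> TAG_BITS) & ((1 << IDX_BITS) - 1)
    return x >> (IDX_BITS + TAG_BITS), j, t


def keygen(p: int, q: int):
    """Private key z in Z_q; public key (p, q, g1, g2, h = g1^z) over QR_p."""
    g1, g2 = pow(2, 2, p), pow(3, 2, p)   # non-trivial squares, hence of order q
    z = secrets.randbelow(q)
    return (p, q, g1, g2, pow(g1, z, p)), (p, q, z)


def encrypt(pub, m: int):
    """Ciphertext (u1, u2, e) = (g1^r, g2^r, eps * M), M = pi(m, j, t) = (m||j||t)^2."""
    p, q, g1, g2, h = pub
    r, j = secrets.randbelow(q), secrets.randbelow(1 << IDX_BITS)
    u1, u2, eps = pow(g1, r, p), pow(g2, r, p), pow(h, r, p)  # the three exponentiations
    t = H(j, m, u1, u2)
    M = pow(pack(m, j, t), 2, p)
    return u1, u2, eps * M % p


def decrypt(priv, ct):
    """One exponentiation (eps = u1^z). Returns m, or None (the patent's ⊥) when
    neither square root of M carries a tag t matching H_j(m, u1, u2)."""
    p, q, z = priv
    u1, u2, e = ct
    eps = pow(u1, z, p)
    M = e * pow(eps, -1, p) % p
    root = pow(M, (p + 1) // 4, p)   # p = 3 (mod 4): the square roots of M are ±root
    for x in (root, p - root):        # step 2 of [0053]: check both roots
        m, j, t = unpack(x)
        if m < (1 << MSG_BITS) and H(j, m, u1, u2) == t:
            return m
    return None


if __name__ == "__main__":
    p, q = find_safe_prime(96)
    pub, priv = keygen(p, q)
    u1, u2, e = encrypt(pub, 0xDEADBEEF)
    print(hex(decrypt(priv, (u1, u2, e))))          # 0xdeadbeef
    print(decrypt(priv, (u1, u2, e * pub[2] % p)))  # None: e was altered, check fails
```

Altering any of u_1, u_2 or e is caught by the t = H_j(m, u_1, u_2) check, which is what binds the random elements to the message in this scheme.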
[0054] The scheme described above has significant advantages over the Cramer Shoup (CS) scheme because the number of exponentiations (a good guide to computational overhead) is only three in the encryption (ε = h^r, g_1^r and g_2^r), whereas in CS 5 exponentiations are required (g_1^r, g_2^r, e = h^r m and v = c^r d^{rα}).
[0055] In decryption the present scheme requires one exponentiation (ε = u_1^z), whereas CS requires three (u_1^z, u_1^{x_1 + y_1 α} and u_2^{x_2 + y_2 α}).
[0056] Consequently, the present scheme requires four exponentiations whereas CS requires eight to encrypt and decrypt; this represents a halving in the computational overhead of the present scheme when compared to CS.
[0057] In addition, the security is provable (see below) in the present scheme to a level that is comfortably within the definition of negligible.
[0058] In the present scheme reliance is made on the collision-free properties of the hash function to provide the check. CS uses a hash in the check (two times in fact), but it is within the complex checking equation

$$u_1^{x_1 + y_1\alpha}\, u_2^{x_2 + y_2\alpha} = v$$

A hash function on M, u_1 and u_2 in the present scheme provides greater simplicity with good security and a computational overhead benefit, as discussed above.
[0059] In the following a proof of security is given. Although such a proof is beneficial, it is not necessary to have the proof to implement the scheme; it is merely a confirmation of the security given by the scheme.
[0060] 3 Proof of Security
[0061] 3.1 DDHP
[0062] All the proofs rely on the difficulty of the Decision Diffie-Hellman Problem (DDHP), the definition of which, from Cramer, R. and Shoup, V. A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. CRYPTO'98. LNCS 1462, pg 13-25. Springer-Verlag, California, 1998, is given below.
[0063] Definition 2 [Cramer Shoup (above), pg. 16] Let G be a group of large prime order q, and consider the following two distributions:
[0064] the distribution R of random quadruples (g_1, g_2, u_1, u_2) ∈ G^4;
[0065] the distribution D of quadruples (g_1, g_2, u_1, u_2) ∈ G^4, where g_1, g_2 are random, and u_1 = g_1^r and u_2 = g_2^r for random r ∈ Z_q.
[0066] An algorithm that solves the DDHP is a statistical test that can effectively distinguish these two distributions.
[0067] 3.2 The Full Scheme
[0068] We will prove the security of the basic scheme by proving the security of an equivalent cryptosystem, a `full` version of the basic scheme, which is presented below.
[0069] The full scheme encrypts messages m ∈ {0,1}^{n-2k} and requires a hash function H_j: {0,1}* → {0,1}^k chosen from a family of universal one-way hash functions indexed by j. All operations are performed in the group G of order q (q is a large prime) in which there exist two generators g_1 and g_2. There also exists some (invertible) deterministic method π(·) to encode a message as an element of G.
[0070] The private key is two randomly chosen elements z_1, z_2 ∈ Z_q and the public key is h = g_1^{z_1} g_2^{z_2}.
[0071] Encryption. We choose r ∈_R Z_q, j ∈_R Z_k and compute ε = h^r, t = H_j(m, u_1, u_2) and M = π(m, j, t). The ciphertext is then

$$(u_1, u_2, e) = (g_1^r,\ g_2^r,\ \varepsilon\cdot M)$$

[0072] Decryption. To decrypt (u_1, u_2, e) we compute

$$\varepsilon = u_1^{z_1} u_2^{z_2}, \qquad M = \frac{e}{\varepsilon}$$

[0073] and recover the message from (m, j, t) = π^{-1}(M). Finally we check

$$t = H_j(m, u_1, u_2)$$

[0074] If this holds we accept the message, otherwise we reject.
[0075] 3.3 Reducing the Full Scheme to the Basic Scheme
[0076] We show that the security of the full scheme implies the security of the basic scheme. Let B be an IND-CCA2 adversary with an advantage in breaking the basic scheme. We will use B to construct an IND-CCA2 adversary A with an advantage in breaking the full scheme. The basic idea behind this reduction is that B will be given a public key of the form g_1^{z_1} g_2^{z_2} instead of g_1^z, but B will not be able to tell the difference, and this allows A to use B's advantage.
[0077] We now define adversary A. A can run in two stages, a `find` stage and a `guess` stage. The find stage is responsible for finding a pair of messages to distinguish (it will also output some state information s) and the guess stage is responsible for distinguishing which message was encrypted in the challenge ciphertext. Let D_A(·) be the decryption oracle that A has access to.

Algorithm A(find, g_1, g_2, h, q, G):
    Run B(find, g_1, g_2, h, q, G)
    When B makes a decryption query, y', respond with m ← D_A(y')
    B returns (m_0, m_1, s)
    A returns (m_0, m_1, s)

Algorithm A(guess, m_0, m_1, s, y):
    Run B(guess, m_0, m_1, s, y)
    When B makes a decryption query, y', respond with m ← D_A(y')
    B returns b'
    A returns b'

[0078] Any valid ciphertext that B produces will be of the form (u_1, u_2, (g_1^{z_1} g_2^{z_2})^r M), since B encrypts with public key h = g_1^{z_1} g_2^{z_2}; hence any valid ciphertext can be passed to D_A(·) and will be correctly decrypted. It follows that if B has an advantage then so does A.
[0079] 3.4 The Hash Function
[0080] We shall recall some results from Carter, J. L., Wegman, M. N. Universal Classes of Hash Functions. Journal of Computer and System Sciences, 18, 143-154 (1979) about universal hash functions.
[0081] Let all hash functions map a set into a set (and assume > ). If H is a hash function and x, y ∈ A, we define

$$\delta_H(x,y)=\begin{cases}1 & \text{if } x\neq y \text{ and } H(x)=H(y)\\ 0 & \text{otherwise}\end{cases}$$

[0082] If δ_H(x, y) = 1, then we say x and y collide under H.
[0083] Let be a class of functions from to . We say that is universal_2 (the subscript indicates pairs) if for all x, y in , δ_H(x, y) ≤ / . That is, is universal_2 if no pair of distinct keys collide under more than (1/ )th of the functions.
[0084] We will now recall the proposition from [Wegman and Carter] that we require for this paper.
[0085] Proposition [Wegman and Carter (above), pg 146] Let x be any element of and any subset of . Let H be a function chosen randomly from a universal_2 class of functions (with equal probabilities on the functions). Then the mean value of δ_H(x, y) ≤ / .
[0086] Hence in this paper we are careful to use a hash function that is randomly selected from a class of universal one-way hash functions, thus making the probability of finding a collision, in the absence of any other information, 1/ .
[0087] Of course, for the sake of correctness of the proof of security a universal one-way hash function should be used, but practical security is unlikely to be compromised by the use of more `off-the-shelf` hash functions like SHA-1, and so these could be used in an implementation of the scheme.
[0088] 3.5 Sketch of the Proof of Security
[0089] Now we show that the full scheme is secure against an IND-CCA2 adversary. First we give the construction of the proof (which is the same as that of CS). It is assumed there exists an adversary A that can break the full scheme in the IND-CCA2 sense, and then we show how this adversary can unwittingly be used to help solve what is considered a computationally infeasible problem, in this case the DDHP.
[0090] The proof requires the construction of a simulator. Quadruples from either D or R (but not both) are input to the simulator, which is then responsible for the creation of keys, simulation of an encryption oracle and simulation of a decryption oracle. The adversary receives all its information, including oracle queries, from the simulator.
[0091] The proof runs as follows. A quadruple is input and the simulator creates a valid secret key and public key. The simulator runs the find stage of A, and A returns two messages, m_0 and m_1. The simulator then runs the simulated encryption oracle, which chooses a random bit b ∈ {0, 1}, encrypts m_b and outputs the challenge ciphertext. The adversary cannot see the simulated encryption oracle's choice for b.
[0092] The simulator then inputs the challenge ciphertext to the guess stage of A, and A outputs its guess, b', for the random bit. Both the simulator and the adversary pass b and b' respectively to a distinguisher that outputs 1 if b = b' and otherwise 0.
[0093] When the input quadruple comes from R, the adversary A cannot succeed in guessing b with any advantage. Alternatively, when the input comes from D, then the simulator creates a perfectly valid ciphertext and A can guess the bit b with its advantage.
[0094] Hence by observing the distribution of 0's and 1's that are output by the distinguisher, it can be determined which distribution the quadruples are coming from. If the quadruples are coming from R then 1's will occur with probability 1/2 and 0's with probability 1/2. The adversary will only be correct half the time, as it has no advantage. If the quadruples come from D then the adversary has an advantage and 1's will occur with probability 1/2 + α (where α is the adversary's non-negligible advantage) and 0's with probability 1/2 − α.
[0095] Hence, by observation of the output distribution, one has a statistical test for the DDHP.
[0096] 3.6 IND-CCA2 Security for the Full Scheme
[0097] Theorem 2--If the Diffie-Hellman Decision Problem is hard in
the group G, then the scheme is secure against an adaptive chosen
ciphertext attack.
[0098] First the simulator is described. On input the DDH quadruple
(g.sub.1, g.sub.2, u.sub.1, u.sub.2) the simulator randomly chooses
two private keys z.sub.1, z.sub.2.di-elect cons.Z.sub.k and outputs
the public key as
h=g.sub.1.sup.z.sup..sub.1g.sub.2.sup.z.sup..sub.2.
[0099] The simulator simulates the encryption oracle as follows. On
input two messages m.sub.0 and m.sub.1 it selects a random bit
b.di-elect cons.[0, 1], a random number j.di-elect cons..sub.R
Z.sub.k and computes:
e=(u.sub.1.sup.z.sup..sub.1u.sub.2.sup.z.sup..sub.2)
.multidot..pi.(m.sub.b, j, H(m, j, u.sub.1, u.sub.2))
[0100] The simulated encryption oracle outputs the ciphertext
(u.sub.1, u.sub.2, e).
[0101] The simulated decryption oracle simulates the decryption
algorithm as follows. On input (u.sub.1, u.sub.2, e) it computes: 3
M = e ( u 1 z 1 u 2 z 2 ) m, j, t=.pi..sup.-1(M)
[0102] If H(m, j, u.sub.1, u.sub.2)=t the simulated decryption
oracle outputs m, else it outputs .O slashed..
[0103] The aim now is to show that when the input comes from D the
simulator simulates the encryption and decryption oracles perfectly
(probabilistically) and the advantage of the adversary is apparent
at the distinguisher. Alternatively, if the input comes from R then
the aim is to show that the adversary can have no advantage in
guessing b.
[0104] The theorem follows from the following two lemmas.
[0105] Lemma 1--When the simulator's input comes from D, the
simulator simulates the encryption and decryption oracles
perfectly.
[0106] The output of the simulated encryption oracle is exactly the
same as the output of the real decryption oracle as
u.sub.1.sup.z.sup..sub.1u.-
sub.2.sup.z.sup..sub.2=g.sub.1.sup.rz.sup..sub.1g.sub.2.sup.rz.sup..sub.2=-
(g.sub.1.sup.z.sup..sub.1g.sub.2.sup.z.sup..sub.2).sup.r=h.sup.r
and so the ephemeral key is the same for both oracles.
[0107] If the simulated encryption oracle produces an output indistinguishable from that of the actual encryption oracle (true, since the ephemeral key has the right form and otherwise the simulation is identical in computation to the real oracle), and the simulated decryption oracle behaves in exactly the same way as the actual decryption oracle (they are also identical), then the adversary's view is indistinguishable from their view in an actual attack.
[0108] Lemma 2--When the simulator's input comes from R, the
distribution of the hidden bit is (essentially) independent from
the adversary's view.
[0109] When the quadruple comes from R we have $u_1 = g_1^{r_1}$ and $u_2 = g_2^{r_2}$. We will show that the adversary's view is independent of the hidden bit $b$ by showing that if no information about the secret keys is leaked, then the challenge ciphertext is equally likely to be the encryption of $m_0$ or $m_1$, or in fact any message.
[0110] Assuming the simulated decryption oracle only decrypts valid
ciphertexts, we now show that no information about the secret keys
is leaked by a valid ciphertext. Consider the following equations
from the public key and a valid ciphertext.
$$\log h = z_1 + w z_2$$
$$\log \varepsilon = r \log h = r z_1 + r w z_2$$
[0111] Where $g_2 = g_1^{w}$ and $\log$ refers to $\log_{g_1}$. Clearly they are linearly dependent and leak no information about $z_1$ or $z_2$.
[0112] Now consider the output of the simulated encryption oracle; here we derive the following equation.
$$\log \varepsilon = r_1 z_1 + r_2 w z_2$$
[0113] We can arrange this and the public key equation as a set of linear equations.
$$\begin{pmatrix} 1 & w \\ r_1 & w r_2 \end{pmatrix} \begin{pmatrix} z_1 \\ z_2 \end{pmatrix} = \begin{pmatrix} \log h \\ \log \varepsilon \end{pmatrix}$$
[0114] The determinant of the matrix is non-zero, $w(r_2 - r_1) \neq 0$, and so these equations have a solution $z_1$ and $z_2$ for any $\varepsilon$, making its possible values a permutation on $G$.
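The solution of that system, carried through here as an added step with the document's own symbols (all arithmetic modulo the group order $q$), and its check against the two rows:
$$z_2 = \frac{\log \varepsilon - r_1 \log h}{w(r_2 - r_1)}, \qquad z_1 = \log h - w z_2,$$
$$r_1 z_1 + r_2 w z_2 = r_1 \log h + w(r_2 - r_1) z_2 = \log \varepsilon .$$
When the input comes from D, so that $r_1 = r_2 = r$, the determinant $w(r_2 - r_1)$ vanishes and the second row is $r$ times the first, which is exactly the dependent pair of equations in [0111]; when it comes from R, every value of $\log \varepsilon$ yields one key pair $(z_1, z_2)$ consistent with $\log h$.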
[0115] This means $\varepsilon$ hides $M_b$, as for every possible $M_b$ there is an $\varepsilon$ consistent with $e$ ($e$ is fixed), and that $\varepsilon$ can be constructed from a pair of secret keys $z_1$ and $z_2$ that are consistent with the public key.
[0116] Hence there exists an $\varepsilon$ that decrypts the challenge ciphertext $e$ to any $M$. $M$ could be any element of the group, but in fact it may be invalid in the sense of not satisfying $M = \pi(m, j, t)$ for any possible $m$, $j$ and $t$, or if it satisfies $M = \pi(m, j, t)$ for some $m$, $j$ and $t$ then the relation $t = H(m, j, u_1, u_2)$ may not be satisfied. The probability of choosing an $\varepsilon$ that decrypts $e$ to an invalid $M$ depends on $\pi(\cdot)$, and we can say without loss of generality that for all `good` choices of $\pi(\cdot)$ (see section 2 for a suggestion), the probability that an adversary guesses a correct $e$ is $O(2^{|j|})/q$, as there will be $O(2^{|j|})$ valid $M$ for a specific message. If, for example, $\pi(\cdot)$ performed a one-to-one mapping from its input to group elements then (for the IND-CCA2 game) there would be $2^{|j|+1}$ valid $M$'s. For an appropriate $|j|$ it is a computationally infeasible problem to guess a correct $\varepsilon$. Importantly, all messages have $2^{|j|}$ valid $M$'s, hence an adversary has an equal chance of finding an $\varepsilon$ that gives a valid $M$ for any message, and specifically an equal chance of finding an $M$ giving $m_0$ or $m_1$, and so the adversary can have no advantage in distinguishing between them.
[0117] The above argument relies on the simulated decryption oracle rejecting all invalid ciphertexts; otherwise information about $z_1$ and $z_2$ may be leaked. Let a valid ciphertext be $(u_1, u_2, e)$, and an invalid one be $(u_1', u_2', e')$. We consider the possible ciphertexts submitted to the simulated decryption oracle.
[0118] 1) $(u_1', u_2', e)$. If $u_1$ or $u_2$ (or any combination thereof) is changed, then if the resulting ciphertext was decrypted by the simulated decryption oracle this would violate the collision property of the universal one-way hash function. If the universal one-way hash function was chosen at random then there is only a negligible chance (in the size of the output of the hash) that a collision can be found (see section 3.4).
[0119] 2) $(u_1, u_2, e')$. The ephemeral key depends only on $u_1$ and $u_2$, and we know these are unchanged, so the same ephemeral key as was used to encrypt will be calculated by the simulated decryption oracle. When $e'$ is divided by the ephemeral key, a multiple of $M$ will be the result, call it $\alpha M$. An upper bound on the number of possible valid $M$'s is $2^{|m|+|j|}$; $\alpha$ is chosen from the group, which has size $q$, which upper bounds the probability an adversary can guess an $\alpha$ that creates a valid $M$ (with a message that is more than likely unrelated to $m_b$) as $2^{|m|+|j|}/q$. If these parameters are chosen correctly this probability is negligible.
[0120] The adversary will attempt to do better than just guessing.
However, without knowing j an adversary cannot hope to reproduce or
modify e to e' in any way better than guessing, to cause the
simulated decryption to decrypt e'.
[0121] 3) $(u_1', u_2', e')$. This case is similar to case 2). Now (essentially) any $e'$ is valid as long as $u_1'$ and $u_2'$ cause the hash check to pass, but this represents a worse probability of success than case 2) as with the lack of any other information the probability of success is $1/q^2$.
[0122] Thus, the simulated decryption oracle will reject all
invalid ciphertexts, except with negligible probability.
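The scheme as the oracles of [0099]-[0102] compute it, together with the rejection of tampered ciphertexts from cases 1) and 2) above, as an added runnable example that is not the patent's own code. It assumes constructed toy parameters (the group $\mathbb{Z}_p^*$ for the Mersenne prime $p = 2^{521} - 1$, $g_1 = 3$, SHA-256 as $H$, and a $\pi$ that packs $(m, j, t)$ into a 64-byte integer), chosen for illustration rather than as the "good" choice of $\pi(\cdot)$ referred to in section 2.

```python
import hashlib
import secrets

# Constructed toy parameters (assumed here, not the patent's): group Z_p^* for the
# Mersenne prime p = 2^521 - 1, g1 = 3; pi packs (m, j, t) into 64 bytes (< p).
P = (1 << 521) - 1
G1 = 3
M_LEN, J_LEN, T_LEN = 16, 16, 32             # bytes of message m, randomiser j, tag t
M_BITS = 8 * (M_LEN + J_LEN + T_LEN)         # 512: every pi output is below 2^512

def keygen():
    """Private key (z1, z2); public key (g1, g2, h) with h = g1^z1 * g2^z2."""
    g2 = pow(G1, secrets.randbelow(P - 2) + 1, P)        # g2 = g1^w, w discarded
    z1, z2 = secrets.randbelow(P - 1), secrets.randbelow(P - 1)
    return (z1, z2), (G1, g2, pow(G1, z1, P) * pow(g2, z2, P) % P)

def hash_H(m, j, u1, u2):
    """H(m, j, u1, u2): the tag that pi binds into the plaintext block."""
    return hashlib.sha256(m + j + u1.to_bytes(66, "big") + u2.to_bytes(66, "big")).digest()

def pi_inv(M):
    """pi^-1(M) -> (m, j, t), or None when M lies outside the image of pi."""
    if not 0 < M < (1 << M_BITS):
        return None
    raw = M.to_bytes(M_BITS // 8, "big")
    return raw[:M_LEN], raw[M_LEN:M_LEN + J_LEN], raw[M_LEN + J_LEN:]

def encrypt(pk, m):
    """(u1, u2, e) with u1 = g1^r, u2 = g2^r, e = h^r * pi(m, j, H(m, j, u1, u2))."""
    g1, g2, h = pk
    r, j = secrets.randbelow(P - 2) + 1, secrets.token_bytes(J_LEN)
    u1, u2 = pow(g1, r, P), pow(g2, r, P)
    M = int.from_bytes(m + j + hash_H(m, j, u1, u2), "big")   # pi(m, j, t)
    return u1, u2, pow(h, r, P) * M % P

def decrypt(sk, u1, u2, e):
    """M = e / (u1^z1 u2^z2); output m only if t == H(m, j, u1, u2), else None (reject)."""
    z1, z2 = sk
    key = pow(u1, z1, P) * pow(u2, z2, P) % P           # ephemeral key, h^r when honest
    triple = pi_inv(e * pow(key, -1, P) % P) if key else None
    if triple is None:
        return None
    m, j, t = triple
    return m if hash_H(m, j, u1, u2) == t else None

def demo():
    # Honest ciphertext decrypts; cases 1) (u1 changed) and 2) (e changed) are rejected.
    sk, pk = keygen()
    u1, u2, e = encrypt(pk, b"attack at dawn!!")       # constructed 16-byte message
    return (decrypt(sk, u1, u2, e), decrypt(sk, u1 * pk[0] % P, u2, e),
            decrypt(sk, u1, u2, e * pk[0] % P))
```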
[0123] Hence if the DDHP is a computationally infeasible problem then an IND-CCA2 attacker for the full scheme cannot exist.
[0124] 4 Conclusion
[0125] A new scheme was created which was shown to be provably
secure against an IND-CCA2 adversary. The advantage of this new
scheme is that it is roughly twice as efficient as CS in terms of
computational overhead and has similar communication overhead, and
that its proof relies only on standard intractability assumptions
(it does not require the RO assumption).
* * * * *